Skype explains why security evaluation omitted bug reports

Security research and marketing don't mix

Analysis The recent emergence of two sets of serious security vulnerabilities in Skype, the popular VoIP communications software app, couldn't have come at a worse time for the firm. Disclosure of the security flaws came days after the publication of a security evaluation of the Skype that wrote about its security model in glowing terms.

Dr Thomas A Berson, an independent cryptographer and computer security expert and author of the report (PDF), admitted in the document that his four month evaluation (which largely focused on cryptographic issues) was incomplete. This statement turned out to be too true after it emerged Security researchers identified two groups of potentially serious security vulnerabilities involving Skype.

In the first case, a security bug in the Skype for Windows means the software can be crashed and forced to execute arbitrary code through a buffer overflow when presented with malformed URLs in the Skype-specific URI format callto:// and skype://. Skype can also be made to execute arbitrary code via the importation of a maliciously formated VCARD (an electronic business card format).

A second security vulnerability covers a heap-based buffer overflow security flaw that is not restricted to Windows PCs and hits Skype across all supported platforms. Skype has published security updates designed to guard against both flaws.

A series of unfortunate coincidences

Kurt Sauer, director of security operations at Skype, admitted that the bugs - particularly the URL flaw - were critical. "It wouldn't be rocket science to build proof-on-concept code," he said. Although Berson found the Windows flaw, which stems from a bug in a Delphi package used to build the Skype user interface, he didn't spot the cross-platform flaw raising doubts about the how much weight can be attached to the report. The omission of any mention of the Windows flaw in Berson's security evaluation calls into quesiton its completeness and the timing of its publication. Sauer said it was "not appropriate to stop anything" because a coincidence between the timing of Berson's report and the emergence of security flaws it knew about, but wasn't ready to publically disclose, at the time of the publication of Berson's report. "We're not going to try to hide a serious problem," he said.

Skype acted within days of notification of security problems to produce security updates but Berson's report would surely have benefited from mention of how the firm handled its first set of security bugs. It ought to have been delayed to allow this information to be appended. There seems to be no compelling why Skype needed to publish the evaluation last month other than dove tailing with an energetic PR campaign it mounted based on the report's publication. The practice of firms trying to gain publicity capital from security studies is akin to scientists trying to get the press interested in discoveries before submitting them to peer review. Marketing and security research are uneasy bed fellows at the best of times and this wasn't the best of times for Skype.

Second opinion

Sauer said he called in Berson because he wanted an independent researcher in developing a security framework that would guide the work of Skype's developers. "We didn't want to have a long engagement with a large lab which would cost millions. All we wanted was unvarnished advice from an outsider," Sauer explained. "Doing a Common Criteria evaluation would have involved a very large commitment of personnel and long lead times. There is no perfect scheme."

The tone of Berson's report - which reads like that of a technically knowledgeable enthusiast rather than an impartial expert - and its apparent focus on cryptographic issues has been seized upon by critics but Sauer said the evaluation had been a success. "The report has helped us make changes to our already good design practice. Code review may not but Berson's forte but this report will help us improve. Our current processes failed to pick up last month's security vulnerabilities but these will be improved," he added. ®